Brands, Publishers Losing $1.1B To Redirected Links, Click Fraud

An ad-verification company has uncovered multiple hacker networks involved in auto-redirect attacks with payloads of mobile click fraud, tech support scams, and malicious installations. GeoEdge estimates the scam could cost publishers and advertisers $1.13 billion annually.

GeoEdge identified seven distinct classes of redirect attacks as well as major hacker networks. These families of attacks, and the hacker networks that use them, are responsible for hundreds of millions of monthly impressions.

In a few of the attacks, the auto-redirect was taking the user out of the browser and into app stores. On mobile devices, the redirect usually leads to the App Store or Google Play Store rather than simply mimicking the usual desktop tricks.

GeoEdge also found evidence of click fraud. The mobile browser opens multiple invisible iframes and calls multiple URLs and ultimately executes fraudulent clicks. In this particular attack, GeoEdge identified a whitelist of hundreds of domains where the attack would actually occur. The ad loads a script from Amazon AWS S3 and checks the domain to see whether it should execute. If the specific domain is on the whitelist, the code will embed hidden iframes in the browser and click on the ads, according to GeoEdge's security research, titled Auto-Redirects.
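
A defender-side check for the hidden-iframe behavior described above, as an added example that is not code from GeoEdge's report or this article: it flags an ad slot that contains several invisible third-party iframes. The record fields, the `threshold` value and all hosts are assumptions; because the script described above only executes on whitelisted domains, the snapshot has to be taken on the live publisher page.

```javascript
// Added example: audits a snapshot of the iframes found in one ad slot.
// In a browser each record would come from getComputedStyle() and
// getBoundingClientRect(); plain objects are used so this runs in Node.

// Returns why a frame is invisible to the user, or null if it is visible.
function hiddenReason(f) {
  if (f.display === "none") return "display:none";
  if (f.visibility === "hidden") return "visibility:hidden";
  if (Number(f.opacity) === 0) return "opacity:0";
  if (f.width <= 1 || f.height <= 1) return "zero-size";
  // Positioned entirely above or left of the document origin.
  if (f.x + f.width <= 0 || f.y + f.height <= 0) return "off-screen";
  return null;
}

function hostOf(url) {
  try { return new URL(url).hostname; } catch (e) { return null; }
}

// Flags the slot when at least `threshold` (assumed value) hidden frames
// load from hosts other than the publisher's own.
function auditSlot(frames, publisherHost, threshold = 2) {
  const hidden = [];
  for (const f of frames) {
    const reason = hiddenReason(f);
    const host = hostOf(f.src);
    if (reason && host && host !== publisherHost) {
      hidden.push({ host, reason });
    }
  }
  return { hidden, suspicious: hidden.length >= threshold };
}

// Constructed sample snapshot; all hosts are placeholders.
const visible = { width: 300, height: 250, x: 10, y: 400,
                  display: "block", visibility: "visible", opacity: "1" };
const SAMPLE = [
  { ...visible, src: "https://ads.example/banner.html" },
  { ...visible, src: "https://click-a.example/c", width: 0, height: 0 },
  { ...visible, src: "https://click-b.example/c", x: -5000 },
  { ...visible, src: "https://click-c.example/c", display: "none" },
];

console.log(auditSlot(SAMPLE, "publisher.example"));
```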

Broken down by damages, auto-redirects cost the advertising industry an estimated $210 million annually and another $920 million through ads with click fraud.

Hidden redirects are programmed to run click-fraud campaigns. The report, which analyzes about 650 million impressions, delves into redirects, evasive tactics, and how to discover redirect code.

Auto-redirects make up 48% of malvertising events, with malicious URL pre-click far behind at 18%. The U.S. accounts for 48% of auto-redirects -- nearly five times as many as Canada, which comes in at No. 2, and Australia at No. 3.

About 27% of malvertising events occur on desktops and 72% on mobile devices, with 57% on Apple iOS and 15% on Google Android.

Notifications that look like they come from Google or Apple falsely alert users that their devices are infected or that they have been given a free iPhone, pushing them to download malware or dial a scam number.

The schemes are similar to those used for non-redirecting attacks, but by taking users to an entirely separate window rather than a banner ad, the scam appears to be more legitimate.

For example, a webpage that is wholly constructed to look like Microsoft’s site can seem more genuine than a simple banner ad. Attacking banks is difficult, while replicating a bank’s web page and getting users to hand over their info is comparatively easy.

To mobile users, a "System Warning!" in the pop-up notification style that appears to come from the search engine or publisher's site can seem too real to ignore. This makes mobile redirects particularly effective for click fraud and for phishing and mining personal data.

The hacker networks identified by GeoEdge redirected users to nearly a dozen apps in the App Store and Google Play Store, including the Star Wars: Galaxy of Heroes game made by Electronic Arts.

Laurie, I have to both laugh and cry at the same time when I read this. Crying for all the publishers who have gotten hurt by the scammers. The laugh is because the perfect ad delivery system that was developed around 15 to 20 years ago is not even close to being perfect. It's closer to giving a block of cheese to a pack of rats. When the pack is done with that block of cheese they move on to something else to gorge on.

The current ad delivery system is not only outdated, it has become a threat to many hard-working publishers. What needs to change is to get away from automation and go back to human-to-human intervention of the ads to be published. The problem is millions and billions of dollars have been invested in automation. Get rid of it now.

On our website we publish custom presented ads that include sweepstakes and contests for many Fortune companies. These ads cannot be hacked or scammed. I put my 100 percent guaranteed safety on not being scammed. Only a few publishers can say the same. Yet, many ad agencies think it is too good to be true.

It's time to have a serious chat about what is wrong with automated ads and how to fix the problem instead of ignoring the problem.